Google OAuth Credentials
Google OAuth credentials are used to authenticate and authorize applications to access Google services on behalf of a user. These credentials are critical for enabling secure communication between applications and Google APIs, such as Gmail, Google Drive, and Google Calendar. Exposure of these credentials can lead to unauthorized access to sensitive user data and services, posing significant security risks.
How Does It Look
OAuth credentials can appear in various contexts, such as:
- Environment variables
  export GOOGLE_OAUTH_TOKEN="ya29.a0AfH6SMC..."
- Configuration files (JSON)
  {
    "client_id": "1234567890.apps.googleusercontent.com",
    "client_secret": "XyZ12345abc",
    "refresh_token": "1//04iabcDEF123..."
  }
- Code snippets
  oauth_token = "ya29.a0AfH6SMC..."
- Connection strings
  oauth2://client_id:client_secret@googleapis.com
Severity
- 🔴 Critical
OAuth credentials provide access to a wide range of Google services and user data. If compromised, an attacker could gain unauthorized access to sensitive information, manipulate data, and perform actions on behalf of the user. The blast radius is extensive, potentially affecting all services linked to the Google account.
What Can an Attacker Do?
With immediate access to OAuth credentials, an attacker can impersonate the user and interact with Google services:
- Access sensitive data: Read emails, documents, and calendar events (if the credential has read permissions).
- Modify or delete data: Alter or remove files and emails (if write permissions are granted).
- Send emails: Use the user's email account to send phishing or spam messages (if email scope is included).
- Access billing information: View or modify billing details (if the account has billing scope enabled).
An attacker could also escalate privileges by exploiting other linked services or applications, potentially leading to further unauthorized access and data breaches.
Real-World Impact
Exposure of OAuth credentials poses significant business risks, including:
- Data Exposure: Unauthorized access to emails, documents, and other sensitive data (if the credential has read access to sensitive data).
- Financial Loss: Potential misuse of billing information or unauthorized resource usage (if billing/resource creation is permitted).
- Operational Disruption: Interruption of services or data integrity issues (if the attacker has delete/modify permissions).
- Reputational Damage: Loss of customer trust and brand reputation due to unauthorized actions performed on behalf of the user.
In worst-case scenarios, attackers could leverage exposed credentials to conduct widespread phishing attacks or data breaches, causing cascading effects across the organization.
Prerequisites for Exploitation
- Network access requirements: Internet access to interact with Google APIs.
- Additional context needed: Knowledge of the specific Google services and endpoints being accessed.
- Rate limits or restrictions: Google API rate limits may apply, potentially slowing down exploitation attempts.
How to Verify If It's Active
To verify whether an OAuth credential is still active, use the following command:
  curl -H "Authorization: Bearer [TOKEN]" https://www.googleapis.com/oauth2/v1/tokeninfo
- Valid credential response: A JSON response with token details, including scopes and expiration.
- Invalid/expired credential response: An error message indicating the token is invalid or expired.
Detection Patterns
Common Variable Names:
- GOOGLE_OAUTH_TOKEN
- GOOGLE_CLIENT_ID
- GOOGLE_CLIENT_SECRET
- GOOGLE_REFRESH_TOKEN
- OAUTH_ACCESS_TOKEN
- OAUTH_REFRESH_TOKEN
File Locations:
- config.json
- credentials.json
- .env
- settings.yaml
Regex Pattern:
"client_id":\s*"[0-9a-zA-Z\-]+\.apps\.googleusercontent\.com"
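As an added example (not part of the original page), the following Python scanner applies the client_id regex above and the variable names above, plus the token prefixes visible in the page's examples (ya29. access tokens, 1// refresh tokens), to constructed sample files named after the file locations listed. The token-prefix regexes, the capture group added to the client_id pattern and the sample file contents are assumptions; findings are redacted so a report does not re-leak the secret.

```python
import json
import re

# The client_id regex from the page, with a capture group added around the value.
CLIENT_ID_RE = re.compile(r'"client_id":\s*"([0-9a-zA-Z\-]+\.apps\.googleusercontent\.com)"')
# Token prefixes taken from the page's examples (assumed patterns, not Google's spec):
# ya29. for access tokens, 1// for refresh tokens.
ACCESS_TOKEN_RE = re.compile(r"(ya29\.[0-9A-Za-z_\-]+)")
REFRESH_TOKEN_RE = re.compile(r"(1//[0-9A-Za-z_\-]+)")
# Variable names from the "Common Variable Names" list, matched as KEY=value lines.
VAR_NAMES = ("GOOGLE_OAUTH_TOKEN", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
             "GOOGLE_REFRESH_TOKEN", "OAUTH_ACCESS_TOKEN", "OAUTH_REFRESH_TOKEN")
ENV_VAR_RE = re.compile(r"^(?:export\s+)?(" + "|".join(VAR_NAMES) + r")\s*=\s*[\"']?([^\"'\s]+)",
                        re.MULTILINE)

def redact(value):
    """Keep a short prefix so a finding can be triaged without re-leaking the secret."""
    return value[:8] + "..." if len(value) > 8 else "***"

def scan(filename, text):
    """Return {(filename, redacted_value): label} for every credential-like match."""
    findings = {}
    for m in ENV_VAR_RE.finditer(text):
        findings.setdefault((filename, redact(m.group(2))), "env:" + m.group(1))
    for label, rx in (("client_id", CLIENT_ID_RE), ("access_token", ACCESS_TOKEN_RE),
                      ("refresh_token", REFRESH_TOKEN_RE)):
        for m in rx.finditer(text):
            # setdefault keeps the more specific env-variable label when both match.
            findings.setdefault((filename, redact(m.group(1))), label)
    return findings

# Constructed sample inputs (not real credentials), named after the page's file locations.
SAMPLE_FILES = {
    ".env": 'export GOOGLE_OAUTH_TOKEN="ya29.a0AfH6SMC_constructed"\nDEBUG=true\n',
    "credentials.json": json.dumps({"client_id": "1234567890-abc.apps.googleusercontent.com",
                                    "client_secret": "XyZ12345abc",
                                    "refresh_token": "1//04iabcDEF123constructed"}),
    "settings.yaml": "region: us-east1\n",
}

def scan_all(files=SAMPLE_FILES):
    """Scan every file and merge the findings into one report dictionary."""
    findings = {}
    for name, text in files.items():
        findings.update(scan(name, text))
    return findings

if __name__ == "__main__":
    for (name, value), label in sorted(scan_all().items()):
        print(f"{name}: {label} -> {value}")
```

A bare client_secret value in JSON has no pattern on the page and is therefore not flagged here; extend the key list if your files carry it outside a named variable.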
Remediation Steps
- Revoke immediately - Go to Google Cloud Console > APIs & Services > Credentials and delete the compromised OAuth client.
- Audit access logs - Review Google account activity logs for unauthorized access or actions during the exposure window.
- Assess blast radius - Identify all applications and services that used the exposed credential.
- Rotate credential - Create a new OAuth client in Google Cloud Console with least-privilege permissions.
- Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable OAuth consent screen verification and restrict API scopes to only necessary permissions.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.